01
Encryption everywhere
TLS 1.2+ in transit. AES-256 at rest for every stored document, handled by the platform.
Security & GDPR
Exactly how 99 Data Rooms keeps your documents safe: where they live, who can reach them, the controls you hold, and the audited platforms it all runs on. No hand-waving.
Built on audited infrastructure
We don't run our own data centres. 99 Data Rooms runs on platforms that are independently audited to the standards enterprise security teams ask for, in a UK region.
Database, storage, authentication and edge functions. Your documents and their data live here, in the London region.
Frontend delivery and DNS, with a web application firewall and DDoS protection in front of every request.
Your primary data lives in the UK (London). Backups are made automatically and encrypted at rest in an EU region, so nothing is lost if something breaks.
The SOC 2 and ISO certifications above are held by Supabase and Cloudflare, our infrastructure providers. 99 Data Rooms runs on their audited platforms and does not claim to have completed those audits itself. Primary data is resident in the UK (London); encrypted backups are held in an EU region. A Data Processing Agreement is available on request.
Our own controls
01
TLS 1.2+ in transit. AES-256 at rest for every stored document, handled by the platform.
02
Every database query is scoped to your identity in Postgres. No cross-tenant leaks by construction.
03
Storage is never public. Access is granted through signed URLs that expire in minutes, re-issued per view.
04
Email gate, one-time-code verification, NDA acceptance, expiry, max views and one-click revocation.
05
Cloudflare WAF and IP rate limiting on every public endpoint; isolated edge runtime for server logic.
06
A page-by-page visit log per share link, retained 24 months, visible in your own analytics. Signed documents carry their own audit page: every field value captured, with a per-field timestamp, signer IP and intent-to-sign consent.
Responsible disclosure
Email datarooms@99developer.com with reproduction steps. We acknowledge within one business day and remediate critical issues within seven days. No bounty yet, but we will credit you.
Compliance, plainly
DPA available on request, see /legal/dpa.
“Security on a document-sharing product is a hygiene bar, not a marketing one. We publish what we actually do, name the platforms we stand on, and sign a DPA on request.”